
Cloud Expo: Article

SaaS Without the Data Security and Regulatory Concerns

Data governance concerns hinder the adoption of SaaS applications

The business benefits of using business applications delivered via software-as-a-service (SaaS) are compelling, and it's clear that this segment of the software market is growing steadily. Compared with traditional information technology systems, SaaS offers organizations lower costs (for deployment, operations and support), pay-as-you-go usage metering, faster implementation, less support overhead and effortless scalability.

Despite the compelling benefits of moving to SaaS, however, many enterprises are reluctant to make the move to the "cloud" due to serious concerns in the areas of data security, data privacy and regulatory compliance. Surveys conducted by analyst firms and publications consistently indicate that concerns regarding data security and regulatory compliance are among the top issues preventing the wider adoption of SaaS by enterprises.

It's no surprise that enterprises are so concerned about storing their business data with third parties: remote data hosting is sometimes legally prohibited in particular industries or jurisdictions, and leaks of sensitive data can prove embarrassing (or worse) to any company. Beyond fines and the other possible legal repercussions of a data breach, organizations face significant business risks. It doesn't matter who or what caused the breach; what matters is that the organization is perceived to have failed in its duty to care for its customers' confidential information. Furthermore, when an organization chooses to store its corporate data at a third party, the organization may be waiving its right to Fourth Amendment protection from unreasonable search and seizure; law enforcement could potentially seize a company's data from a SaaS vendor's servers without probable cause and without even informing the company that actually owns the data.

Current Data Security Solutions Fail to Address the Concerns
None of the data security solutions commonly used today satisfactorily addresses all of these concerns. While sensitive data is typically encrypted in transit, the same data is stored in SaaS provider databases in plain text, highly vulnerable to various kinds of breaches, whether malicious or accidental. Firewalls provide some protection against outside hackers, but SaaS provider employees can still access the data, as could anyone who gains access to the application via the application layer (e.g., as occurs with identity theft).

The recent security breach of Apple's data stored on AT&T servers is a case in point. 114,000 e-mail addresses of iPad owners, including members of the U.S. military and executives at media, technology and finance companies, were exposed via an unsecured application-level back door. No matter how advanced the security mechanisms in place, no matter how diligent the company and its employees, and no matter how effective the security auditors, data stored in an unencrypted state may always be vulnerable to some kind of unauthorized exposure.

Why Not Store All SaaS Data in an Encrypted State?
One possible solution to this situation would be to encrypt all data for storage on a third-party provider's servers. Even if data were leaked, it would be meaningless, rendering the leak harmless.

While this method is useful for data archives, which do not need to be regularly accessed or processed, it's not viable for operational data because certain application processing would no longer be able to function on encrypted data. For example, an application would be unable to search through encrypted data or to sort it.

Implementing on-the-fly data decryption as part of the application's processes is a possible solution, but it poses two problems of its own. First, the computational overhead required for large-scale encryption-decryption operations is prohibitive in both cost and performance. Second, as long as the application is decrypting the data, all application-level data security vulnerabilities remain in full force.

A Revolutionary Solution: SaaS Without the Data Security Risks
A comprehensive approach to addressing this situation would be one in which all sensitive data is stored in an encrypted state on the cloud server, while unmodified SaaS applications function normally. This would ensure that no sensitive data could ever be accessed or leaked while in the cloud, completely eliminating the data security, data privacy and regulatory concerns of using SaaS applications.

However, as mentioned earlier, if the data remains encrypted at all times, how can the SaaS application function normally? And if the SaaS application remains unchanged, when and where is the data being encrypted?

A revolutionary solution involves an encryption scheme based on unique implementations of NIST-standard encryption algorithms (such as AES), which allow sensitive data elements to be encrypted in such a way that search and sort operations performed by the application remain unaffected.

This encryption occurs in a fully transparent background process (running on a reverse proxy server) on the customer side, ensuring that the SaaS application and those with access to it never have access to the encryption keys necessary to decrypt the data. When the encrypted data is returned to the client by the application server, all encrypted data elements are automatically identified and decrypted inside the organization's firewall.

The result is that end users are completely unaware of this background process, yet their data is completely unreadable (and therefore meaningless) when stored on the SaaS provider's servers. Database theft, accidental leaks, law enforcement subpoenas to the SaaS provider, and even identity theft all become harmless, and regulatory compliance is ensured, since all sensitive data remains undecipherable when transmitted and stored outside the enterprise firewall.

Of course, the technical details of implementing this approach are not trivial. Interpreting and processing all data traffic between any SaaS application and its Web clients in order to identify the data elements for encryption/decryption is challenging. Implementing encryption algorithms that allow an unmodified application to successfully search and sort encrypted data is even more so. Nevertheless, this approach already exists and promises to change the security landscape of cloud applications.
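The following sketch is an added example, not code from the article or from any vendor's product. It shows a customer-side proxy that encrypts each word deterministically so that an unmodified server can still do exact-match search on the tokens. It covers search only, not sort, and it assumes HMAC-SHA256 as a stand-in keyed function for AES so that it runs with the standard library alone; the `enc_` prefix, keys and records are constructed for illustration.

```python
import base64, hashlib, hmac

PREFIX = "enc_"  # constructed marker that lets the proxy spot tokens in responses

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, iv, n):
    # HMAC in counter mode; a real deployment would use AES here.
    blocks = (_prf(key, iv + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_word(enc_key, mac_key, word):
    pt = word.encode()
    iv = _prf(mac_key, pt)[:16]  # synthetic IV: same word always gives same token
    ct = _xor(pt, _keystream(enc_key, iv, len(pt)))
    return PREFIX + base64.urlsafe_b64encode(iv + ct).decode().rstrip("=")

def decrypt_word(enc_key, mac_key, token):
    body = token[len(PREFIX):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    iv, ct = raw[:16], raw[16:]
    pt = _xor(ct, _keystream(enc_key, iv, len(ct)))
    if not hmac.compare_digest(iv, _prf(mac_key, pt)[:16]):
        raise ValueError("token failed integrity check")
    return pt.decode()

def protect(keys, text):   # outbound: runs inside the firewall
    return " ".join(encrypt_word(*keys, w) for w in text.split())

def reveal(keys, text):    # inbound: decrypt only what carries the marker
    return " ".join(decrypt_word(*keys, w) if w.startswith(PREFIX) else w
                    for w in text.split())

def saas_search(store, term):  # unmodified server logic: exact word match
    return [row for row in store if term in row.split()]

KEYS = (b"\x01" * 32, b"\x02" * 32)  # constructed keys; never leave the proxy
RECORDS = ["Acme invoice overdue", "Globex contract signed", "Acme contract renewed"]

def demo():
    store = [protect(KEYS, r) for r in RECORDS]          # what the provider holds
    hits = saas_search(store, encrypt_word(*KEYS, "Acme"))  # query is encrypted too
    return store, [reveal(KEYS, h) for h in hits]

if __name__ == "__main__":
    print(demo())
```

Because equal words produce equal tokens, anyone holding the stored data can see which records share a term and how often each term occurs, even without the keys; that leakage is the price of letting the server search ciphertext.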

If, despite the advantages of SaaS, you are holding off moving your organization to the cloud due to data security or regulatory concerns, you owe it to yourself to take a good look at an encryption solution along the lines of the one described in this article.

More Stories By David Movshovitz

Dr. David Movshovitz, co-founder and CTO of Navajo Systems, is an expert in information security, infrastructure security and Web application security. He has served in a number of senior R&D and technology positions in companies, most recently as VP Security Technologies at F5 Networks. Previously, he served as CTO and VP R&D of MagniFire, a company acquired by F5 Networks. He was co-founder and VP R&D of Algotec Systems, a company acquired by Kodak. David holds a PhD in physics from Bar-Ilan University, Israel. Please visit Navajo Systems for more information.
